The Transport Layer Security (TLS) protocol and its predecessor, the Secure Sockets Layer (SSL) protocol, are cryptographic protocols that provide communication security over a communication network such as the Internet. TLS and SSL encrypt the segments of network connections above the Transport Layer, using asymmetric cryptography for key exchange and peer entity authentication, symmetric encryption for confidentiality, and cryptographic hash functions in message authentication codes for message integrity.
The TLS protocol allows client-server applications to communicate across a network in a way designed to prevent eavesdropping and tampering. TLS has proven to be widely applicable: TLS-based FTPS, for instance, is an alternative to SSH-based SFTP/SCP. In addition to TLS and SSL, DTLS provides secure communication even over an unreliable transport such as UDP, offering an alternative to IPsec.
For accessing and maintaining distributed directory information services over an Internet Protocol (IP) network, the Lightweight Directory Access Protocol (LDAP) is usually used. LDAP queries are sent by a client to a remote network node. If the LDAP queries are not protected by TLS, the entire protocol run can be read, so the sensitive result of the LDAP query is visible to an attacker.
When TLS is used, the entire communication is encrypted. In such a situation a perimeter firewall cannot perform deep inspection of the requests to filter out unauthorized or unwanted requests. This issue is relevant for telecommunication nodes (including, but not limited to, BSC, MSC, BTS, HLR, RNC, RBS, SGSN, GGSN and eNB) when these nodes start to use LDAP for user authentication and authorization in the management plane. As an example, the above-mentioned nodes need to access the LDAP server of the OSS, which may contain sensitive information as well. In such cases, deep packet inspection of the requests at the perimeter is desirable, while the response should be well protected.
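As an added illustration (not part of the original text), the following Python shows what a perimeter filter can do only while the request is in cleartext: it decodes the base DN of an LDAP SearchRequest from its BER encoding and checks it against an assumed policy that restricts the managed nodes to one subtree of the OSS directory. The request bytes, the DN values and the ALLOWED_SUBTREE policy are constructed for this example, and the DN comparison is deliberately naive.

```python
# Minimal BER decoder/encoder for the part of an LDAP SearchRequest (RFC 4511)
# that a perimeter filter needs: the messageID and the baseObject DN.

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at pos (definite lengths only)."""
    if pos + 2 > len(buf):
        return None, b"", len(buf)         # truncated input: no TLV here
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _ber(tag, value):
    """Encode one short-form TLV (values shorter than 128 bytes are enough for the samples)."""
    return bytes([tag, len(value)]) + value

def build_search_request(msg_id, base_dn):
    """Constructed sample client request: scope baseObject, filter (objectClass=*), no attributes."""
    search = (_ber(0x04, base_dn.encode()) + _ber(0x0A, b"\x00") + _ber(0x0A, b"\x00")
              + _ber(0x02, b"\x00") + _ber(0x02, b"\x00") + _ber(0x01, b"\x00")
              + _ber(0x87, b"objectClass") + _ber(0x30, b""))   # 0x87 = present filter [7]
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(0x63, search))  # 0x63 = [APPLICATION 3]

def parse_search_request(msg):
    """Return (messageID, baseObject DN) from a cleartext LDAPMessage, or None if not a SearchRequest."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:                        # LDAPMessage is a SEQUENCE
        return None
    tag, msg_id, pos = _read_tlv(body, 0)
    if tag != 0x02:                        # messageID INTEGER
        return None
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x63:                        # protocolOp must be SearchRequest
        return None
    _, base_dn, _ = _read_tlv(op, 0)       # first field of SearchRequest is baseObject
    return int.from_bytes(msg_id, "big"), base_dn.decode("utf-8")

# Assumed perimeter policy: managed nodes may only search this subtree of the OSS directory.
ALLOWED_SUBTREE = "ou=nodes,dc=oss,dc=example"

def request_allowed(msg, allowed=ALLOWED_SUBTREE):
    """Allow a SearchRequest only if its base DN lies inside the permitted subtree (naive DN match)."""
    parsed = parse_search_request(msg)
    if parsed is None:
        return False                       # anything but a parseable SearchRequest is dropped
    dn = parsed[1].lower().replace(", ", ",")
    return dn == allowed or dn.endswith("," + allowed)
```

Once the same request travels inside a TLS record, the firewall sees only ciphertext and this check can no longer be applied at the perimeter.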
The above problem can be generalized to the HTTPS and FTPS protocols as well, where the requests need to be inspected and the responses need to be secured.